From c1292555085e63c4f31a6ffd5b43ede66297efe7 Mon Sep 17 00:00:00 2001
From: Diogo Correia
Date: Mon, 1 Sep 2025 22:36:10 +0100
Subject: [PATCH] nixos/grocy: don't set X-XSS-Protection anymore

Part of #438800.

The OWASP recommentation[1] is:

> The X-XSS-Protection header has been deprecated by modern browsers
> and its use can introduce additional security issues on the client
> side. As such, it is recommended to set the header as X-XSS-Protection: 0
> in order to disable the XSS Auditor, and not allow it to take the default
> behavior of the browser handling the response. Please use
> Content-Security-Policy instead.

[1] https://owasp.org/www-project-secure-headers/#x-xss-protection
---
 nixos/modules/services/web-apps/grocy.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/nixos/modules/services/web-apps/grocy.nix b/nixos/modules/services/web-apps/grocy.nix
index c0cd4cb67644..ce5be95ce6f3 100644
--- a/nixos/modules/services/web-apps/grocy.nix
+++ b/nixos/modules/services/web-apps/grocy.nix
@@ -191,7 +191,6 @@ in
 locations."~ \\.(js|css|ttf|woff2?|png|jpe?g|svg)$".extraConfig = ''
 add_header Cache-Control "public, max-age=15778463";
 add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
 add_header X-Download-Options noopen;
 add_header X-Permitted-Cross-Domain-Policies none;